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SCHEMATISE 

The following fs a description of SCHEMATISE, a 

proposal for a program that proves very elementary theorems 
through the use of planning* The method is most easily 
explained through an example due to Black* 
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The above problem has an Interpretation that makes ft a much 
easier one for humans. 

ft 1 ven 



tit (In pencil desk) 
t2: (in desk home) 



t3: Cfn home county) 

tfc: (forall (x y) (Implies (In x y> (at x y))) 
t5: (forall Cx y z) (Implies (and (in x y> (at y z)) 
(At x z))i 

Prove 

t6: (at pencil county) 

As far as the theorem prover Is concerned It Is no 
easier to solve the problem given one represents! Jon rather 
than the other without additional Information. A human 
would much rather work with the second representation stnce 
he has a well defined model for it. In order to make this 
paper morn readable we shall work with the second 
representation* However, the reader should be careful to 
remember that In the sequel the computer program has a very 
different perspective from hfs own. 

First the program connects all the theorems together 
into a net whfch we shall the theorem H£i> It Ts understood 
that the theorem net also reflects the structure of the 
rules of inference (operators) of the underlying logical 
system. In the system which we shall study the sole rule of 
inference wtll be nodus nonens together wFth the 
slmul taneous i nstant tat ion of any f rep var I a b 1 es with 
constants. The theorem net for our example ts diagrammed In 
figure sO, 




Theorem ^ f 



Each box (such as the one containing theorem t2) stores the 
Information for binding variables In that particular 
theorem* Without some Insight fnto the problem structure 
there Is not much th*t the theorem prover can Ho except to 
initiate a straight backwards search for the proof of the 
theorem* But suppose that the theorem prover fs more 
fortunate. It might expect that (in pencil desk) is 
relevant to the proof of (at pencil county) since the 
constant pencil appears no where else in the problem* Or 
perhaps that the theorem prover Is not allowed to use 
theorem tl and asked to prove theorem t6' instead of theorem 
t6 where 

t6 T : (implies (in pencil desk) (at pencil county)) 

Now the theorem prover has enough information to try to 
form a plan. Following Mlnsky whe shall call the statements 
(such as (in pencil desk)) that the theorem prover thinks 
arp. relevant to the proof Islands * We define the difference 
between two statements A and B to be the subgraph of the 
theorem net that can possibly carry A into B. In our case 
the difference between (in pencil desk) and (at pencil 
county) Is the whole theorem net* We might proceed to 
reduce the difference between our antecedent and consequent 
by chaining forward from our island to try to match the 
consequent. The $ stand for constants that are presently 
unknown to us* 
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Pushing (in pencil desk) through tk leads us to a dead 
end* But pushing through t5 leads us to two 

expressions that match fat pencil county). See figure si. 
We want to reverse the process and chain back from the 
consequent to our island, A good heuristic Is to pick the 
expression that best matches the consequent as the first one 
to chain hack from. If we violate the heuristic and chain 
hack from (at $ $) we obtain ffgure s2. As the reader can 
see chaFninfl hack from (at S $) does not take us all the 
way back to our tsland (In pencil desk). Therefore we must 
abandon the above plan. Chaining back from (at pencil 5), 
we obtain figure s5* The theorem prover realizes that in 
order to complete the proof of (at pencil county) It must 
prove the lemma (at desk county). 

We would like to consider the example fron a slight ly 
different viewpoint* Suppose that we transpose chaining 
forward from our island and the chaining backward from the 
goal. Chaining backward fron (at pencil county) we obtain a 
■-.er r P-! at i sed goal j^rg fi (figure sU). Every proof of (at 
pencil county) has a graphical homomorphic Image In the 
schematized goal tree* The theorem prover can obtain alt 
proofs by grinding away Inside the schematized goal tree* 
Suppose that our island Is (In home county). We note that 
(Fn home county) matches both (in $ S) and (In $ county). 
Unfortunately the plan (figure sS) generated by plugging (In 
home county) into (in $ $) cannot be fulfilled since tat 
county county) Is unproveahle* Even if the theorem prover 
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had a model it would be misled if the model attached the 
Interpretation true to {at county county), PlugglnR (In 
home county) into (In $ county) leads to a plan ( figure s6) 
that can be fulfilled* Note that two applications of 
therorem t5 are needed to prove the theorem. Of course if 
we ar^. given two islands which are both relevant to the same 
proof we can often form a much hetter plan with both than 
with either one alone* 

Each tine the theorem prover plugs an island Into a 
schematized goal tree. It should check to see If the 
resulting plan Is circular* Thus (in pencil desk) cannot be 
plugged Into (in t $) In figure s7 since it forces (at $ 
county) to become (at pencil county) whTch makes the plan 
circular. Therefore (in pencil desk) can only be plumed 
into (In pencil $). The resulting graph Is figure $8* 

In each case we have In fact constructed a whole schema 
of plans. Within any one schema we can have many degrees of 
freedom* 

I. There can be more than one route from the 
fsland(s) to th« consequent » 



2* The constants represented by the $ must be 



found. 



3* Some loops in the plan can be unwound* 

Flexfblility In planning is a mixed blessing. A good deal 
of rigldtty Is necessary In order to proceed 



straightforwardly from the plan to a rigorous proof. On the 
other hand our plans must be somewhat adaptable so that we 
are not stymied by the ffrst difficulty* The planning 
mechanism of f5*P.S, Illustrates the usefullness of 
control 1 ed f lex lb I 1 i ty in plann log* 

We would now like to turn to the Question of where to 
obtain islands for planning. One source Is pure syntactic 
analysis. The theorem prov«r should carefully examine the 
consequences of the expression to be proved* The 
CpnseauencQg of tfrq conseaqgnj heuristic Is try to find 
Islands arrionK the consequences of the consequent of the 
theorem to be proved* For example fn the problem to prove 
(at pencil county) suppose we had the additional theorem 

t7: {Implies (not (in pencil desk)) (not (at pencil 
county) ) ) 

Using the consequencl es of the consequent heuristic the 
theorem prover should find the island (In pencil desk)* How 
can one transform the stick figure below Into one with four 
squares by moving at most three sticks? 
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In this case our consequence is that we have four squares. 
Rut ff we ^re to make four squares from only twelve sticks 
then at least four sticks must each have two squares in 
common. Thus our Island is the figure below 



Another syntactic trick Is to try to trace the constants 
hack to their source fn the data base of the problem* 
Recall that In our example that the constant pencil could 
only have come from the expression On pencil desk). 
Hypotheses usually make excellent candidates as islands* Of 
course* there Bre exceptions to the rule* For example, if 
the theorem prover were asked to prove (Implies (In home 
Texas) (at pencil county)) It would try to use (in home 
Texas) as an Island only to find that (In home Texas ) Is 
actual ly i r re levant . 

Models, special knowledge, and analogies are often 
sources of Islands. Suppose the theorem prover knew how to 
inscribe a circle in a given triangle. It could use an 
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analogous method to Inscribe a sphere in a given 
tetrahedron. Models often contain links that are useful in 
the construction of islands* The links make some relevant 
expressions In the data base of the problem more accessible 
to the theorem prover. 

Suppose the theorem prover had the following 
information about cubes a, b e* and d* 

vis (di recti yabove d a) 

v2: (restfngon d c) 

v3; (restfnflon c b) 

vfc: (forall (x y) (equivalent (supporting x y) 
( rest ingon y x) } } 

v5: (forall (x y) (equivalent (di erect 1 yabove x y) 
(dl rect 1 yhelow y x))> 

v6: (forall (x y z) (implies (and (di rect lyhelow y z) 
(di recti ybelow x y)) (directly below x z))) 

v7; (forall (x y) Umplles (supporting * yj 

(di rect 1 yhelow x y))) 

A model for the situation mlftht look like figure s9. 
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Clearly the constant b [s more accessible from the constant 
a In the model than from the theorems* Thus models are 
Important ?n planning not only for pruning those expressions 
that are false in the interpretation of the model hut also 
for the connections they provide which suggest new plans* A 
model keeps the state of the system In a continually updated 
canonical form. All other information about the system is 
derived from the canonical form. 

Theorem provers should do more thinking about their 
problems before blindly bepjnnlnp: a huge tree search, An 
Intelligent problem solver would try to find key nodes (such 
as (at * county) In figure sU) in the schematized goal tree. 
Of course most of out analysis for statements as Islands 
goes dually for theorems* Also the theorem prover should do 
a series-parallel loop analysis to get a better Idea of the 
size of the problem that It faces and to learn more about 
Its structure. I have been trying to develop a theory of 
the decomposition of plannlnR nets analogous to the existing 
serl es-paral lei decompos i t Ion theory for sequential 
machines* There are clues In the difference between the 
Island(s) and the consequent that can save the theorem 
prover a great deal of work, For example MATCHLESS can 
quite easily be marie to find all the loop structures of the 
form of Cffgure sll) In the schematized goal tree* After a 
proving a statement that satlffes A, one would often like to 
go back through theorem tl to see if anytlng else can picked 
up almost for free* 
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The distinguishing characteristic of SCHEMATIZE Is that 
the relationship between the Islands and the statement to be 
proved is shown. To have some Islands with no Indication as 
to how they should be used simply limits the size of the 
tree to be searched; the theorem proyer must still do 
heuristic tree searching* In a stronger system such as 
SCHEMATIZE the executive of the theorem prover does not 
search the poal tree but rather follows along a plan uslnp 
the Indicated relations between Islands* Of course 
SCHEMATISE works only for problems with a simple logfeal 
structure* It can be generalized sliRhlty to more powerful 
deductive procedures using natural deduction but the 
analysis become exremely complicated. Sometimes one can 
usefully analyze part of a more complicated problem using 
SCHEMATISE. 
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MATCHLESS 

MATCHLESS Is a pattern matching program wftten In LISP, 
It is most succinctly described as a cross between SNOBOL 
and CONVERT, The most Important respect In which MATCHLESS 
differs form CONVERT Is that MATCHLESS doesn't have a 
dictionary* Rinding* for MATCHLESS variables are kept on 
the LISP push down Hst* Consequently MATCHLESS can very 
conveniently be used wfthfn LISP progs* I think that It 1s 
An important principle in language design that the user 
should be allowed to write In the level that he thinks Is 
most suitable for his task* The various levels of code 
should all be compatible with one another so that It Is 
possible to use them all Fn a single body of code. For 
example It would be useful to be able to write LAP code In 
the middle of LISP progs. Furthermore low level code should 
not have to run slower simply in order to preserve the 
ahility for users to write at a higher level, 

A variable v in MATCHLESS can match three types of 
objects : 

(1) atoms (the fTrst character of the name of v must be 
a $). 

£2) S-expressions Cthe first character of the name of v 
must be a ■) 
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(3) fragments of lists (the first character of the name 
of v must be an *) 

Any type of variable may he In any one of four modes: VAR 

(for vat-fab!*), CONST (for constant), GENERIC, or COMP (for 

computed}. The Idea for the VAR and CONST modes comes farm 

SNOBOL; the GENERIC mode from CONVERT and AXLE, The COMP 

mode allows one to Introduce new modes and types Into 

MATCHLESS, All of MATCHLESS could be written fn the COMP 
mode. The following atoms are given special Interpretations 
by MATCHLESS. 

(1) $ will match any atom. 

(2) * will match any 5-expression* 

C3) * will match any fragment of a list Including the 
nul 1 fragment . 

Furthermore MATCH LKSS hd* the standard Con^an operators cr 
patterns* For example if pat Is a pattern then <=NDT» pat) 
will match any S-expresston that doesn't match pat. 
Similarly =and= may be used to require that an S-expressfon 
match a number of patterns and -or* may be used to require 
that an S-expression match any one of a number of patterns* 
The Idea for Boolean operations on patterns comes from 
CONVERT and AMBIT* 

There Is a MATCHLESS pattern associated wfth each 
MATCHLESS variable. The Idea of associated patterns for 
pattern variables comes from CONVERT and AXLE, Executing 
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<var v w) or Cfteneric v w) will put v In the VAR or GENERIC 
mode respectively with the as&ocfate pattern w, A variable 
In the var or generic mode has no value; It matches 
according to fts associated pattern* When a variable in the 
VAR node matches ft takes the value of the expression that 
ft matches and its mode changes to CONST. A GENERIC 
variable differs form a VAR variable Fn that it fs not 
modified when ft matches, A variable fn the CONST mode 
matches according to Its value. Executing (msetq v r) will 
put v fn the CONST mode wfth value r* The default mode Is 
VAR with an innocuous associated pattern* 

Suppose SB, =A, and *C are all in the VAR mode, If 
MATCHLESS attempts to match the pattern (* JB A =A SB *C) 
against (K Hi G A (K) H H A (L) M H f A CM) I B C) then the 
variables mode will be changed to CONST and they wilt have 
the fol 1 owing va 1 ues , 



SB 
■A 
*C 



I 
CM) 

-B C- 



The dashes In the value of *C ar& meant to fndicate that the 
value of *C is a fragment of a list. 
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PLANNER 

SCHEMATISE can be conceived to be searching through a 
planning space. Indeed any LISP program can ^ conceived 
as a tree searching program since the comnutatfon Ttself Is 
a tree* Thus it would be useful to have a powerful trep 
searching language In which we could wrfte SCHEMATISE and 
other tree searching theorem proving procedures. PLANNER 
Is a theorem prover which hopefully represents still another 
step toward such a general tree searching language* PLANNER 
gets Its name from the fact that it was originally created 
as a language In which a robot could formulate plans about 
Its possible actions* The theorems of PLANNER are 
executable data structures* An example of such a theorem Is 
TRANSITIVE (below) which expresses a necessary condition for 
a transitive relation, 

(TRANSITIVE (THPROG {$ PREDICATE $X $Y SZ) 

(CONSEQUENT (*X SPREMCATE JZ)) 

(PROVED (TRANSITIVE SPRED)) 

(PROVEARLE (SX ^PREDICATE $¥)) 

(PROVEARLE <$Y ^PREDICATE SZ)) 

(FINISHED) 
) ) 
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All theorems for PLANNER are imperatives* Imperative 
theorems have certain advantages and disadvantages compared 
to declarative theorems- The chief advantage of Imperative 
theorems Is that they can be extremely powerful* Arbitrary 
LISP computations are permitted tn imperative theorems* 
Thus each theorem can contain the heuristics for its own 
use* For example a theorem ni^ht recommend certain theorems 
for some suhproblem that it creates* I would be very 
grateful to any reader of this paper who sends me examples 
of types of heuristics that cannot naturally be incorporated 
Into theorems for PLANNER. 

The central function of PLANNER is thprog which is Tike 
prog except that it treats PLANNER functions in a special 
way* When a failure occurs thprog hacks up to the last 
executed PLANNER function and tries again on a different 
branch of the tree that It Is searching! Some of the 
functions of PLANNER are 

Cproveabie a switch 1 Istof theorems) ; If the pattern a 
is proveahle without erasing anything then execute the next 
statement; otherwise fail. If switch is FIRST (ONLY) then 
1 Tstof theorems ar^ the first (only) theorems that will be 
used to try to chain hack From a. 

(ftoal a switch 1 I stoftheorems) t Goal Is like proveable 
except that erasures are pernltted. 

(consequent a): a is declared to be the consequent of 
the theorem. Whenever a goal fs created which matches the 
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pattern a, the theorem will be used to try to chatn 
backwards from the goal, 

(antecedent a)s a fs declared to be the antecedent of 
the theorem. Whenever a statement is asserted which matches 
the pattern a, the theorem will be used to try chain 
forwards from the statement* 

(assert a b switch 1 i stof theorems) : Record a as proved 
with reason b. If switch Is FIRST ((MLY) then 
1 istof theorems are the ffrst (only) theorems that will be 
used to try to chain forward from a, 

(finished): Indicates the end of the theorem. 

(threturn a)i Returns a as the value of the thprog in 
which ft appears. Threturn has not yet been inpl emented . 

(eraseaMe a): Record that a is eraseabTe, 

(uneraseahle a): Record that a ts uneraseable P 

(erase a switch 1 I stof theorems) £ If a Is eraseable 
then erase it and the statements that depend on It; 
otherwise f a il ♦ If switch is FIRST (ONLY) then use 
1 fstoftheoreros as the first (only) theorems to try to chain 
forward from the fact that the pattern a Is being erased. 

(fail): Causes a failure* 

(thfail); Causes the theorem to fail. 
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(hypothesize a); Assert a with the reason that Tt Is a 
hypothes 1 5 » 

(discharge): Discharge the last made hypothesis, 

(thset a b): Thset Is 1 f ke set except that the old 
value of a is remembered so that It can be restored! In case 
of failure, 

(thrplaca a b) and (thrplacd a b): These functions are 
like rplaca and rplacd respectively except that the old 
value of a Is remembered so that ft can be restored In case 
of failure* The functions thset, thrplaca, and thrplacd are 
very useful for manipulating models. 

(thgo a ) : Thgo Is lfke go except that In case of 
failure control Is returned to the place from where the 
transfer was made. 

The erase feature of PLANNER enables Tt to quite 
easily manipulate models. The following two theorems enable 
PLANNER it> build a tower three Cubes high* 

(TOWER (THPROG C$BLOCKX SBL0CK2 $flL0CK3 ) 
(CONSEQUENT (CAN TOWERAT MERE)) 
(GOAL (SBL0CK1 AT HERE LEVEL 0)) 
(UNERASEARLE (1RL0CK1 AT HERE LEVEL 0)) 
(GOAL ($BL0CK2 AT LPLACE LEVEL 1)) 
(UNERASEABLE ($RL0CK2 AT HERE LEVEL 1>) 
(GOAL ($RLOCK3 AT HERE LEVEL 2)) 
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(ERASFARLF (SRL0CK2 AT HERE LEVEL 0)) 
(ERASEABLE ($RL0CK1 AT HERE LEVEL 1 ))) 
(FINISHED) ) ) 

(MOVE CTHPROQ 

(SBLOCK $OTHERBLOCK SNEWLEVEL $WFWPLACF $OLDLEVEL 
SOLDPLACE) 

(CONSEQUENT (SBLOCK AT SNEWPLACE LEVEL $NEWLEVEL>) 
(PROVED (BLOCK $BLOCK)> 

(ERASE (SBLOCK AT SOLOPLACE LEVEL *0LDLFVEL>) 
(UNPROVED (JOTMERBLOCK AT $OLDPLACE LEVEL (-EVAL- (PLUS 
$OLOLEVEL 1))) 

(STATFFfNSHED) ) ) 

(BLOCK BLOCK1) 
(BLOCK RLOCK2) 
(BLOCK BLOCKS) 
(BLOCK1 AT PI LEVEL 0) 
(RLOCK2 AT PI LEVEL 1) 
(BLOCK3 AT P2 LEVEL 0) 

The theorem MOVE has a condition that It will not move any 
cuhe that has another cube setting on top of tt. Professer 
Papert pointed out that one could write the theorem MOVE 
differently. Instead of prohibiting the removal of the 
cuhe. It could brinp the cubes ahove the removed one 
crashing down I Thus we could have written 
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(MOVE (THPROG 

(IBLOCK SOTHERBLOCK SMEWLEVEL $NEWPLACE $OLOLEVEL 
SOLDPLACF) 

(CONSEQUENT (4RLOCK AT $HEWPLACE LEVEL $NEWLEVED) 
(PROVE!) (RLOCK $BLOCK)) 

(ERASE ($RLOCK AT $OLDPLACE LEVEL $OLDLEVEO) 
(THCONO ( (PROVED ($OTHERRLOCK AT $OLDPLACE LEVEL 
(=EVAL- (PLUS SOLDLFVEL 1))) 

(ASSERT (FALLING $0THER8L0CK)>) 
) 
(STATEFINISHED) ) ) 

(FALLING (THPROG (SRLOCK, $0THER8LOCK, $LEVEL, *PLACE> 

(ANTECEDENT (FALLING $BLOCK)) 

(ERASE (FALLING $BLOCK)) 

(ERASE (SRLOCK AT $ PLACE LEVEL $ LEVEL J) 

(ASSERT (SRLOCK AT SPLACE LEVEL (-EVAL- (MINUS UEVFL 
1}))) 

(THCOND ( (PROVED (SOTHERRLOCK AT JPLACE LEVEL (-EVAL- 
(PLUS REVEL 1>)) 

(ASSERT (FALLING $OTHERBLOCK) ) } 

> 

(FINISHED) ) ) 

To form a plan as to how to buftd a tower does not 
complete th« job. The tower must still be constructed! One 
way In which that might he accomplished Is as follows. 
After the planning phase Is completed the system should 
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writ** out PLANNER programs that actually carry out the job. 
For example the theorem TOWER above might create something 
like the following theorem. 

(MAKF.TOWER CTHPROG t) 

CGRASPBLOCK (AT PI LEVEL 1)) 
(MOVETO (HERE LEVEL 0)) 

(RELEASEBLOCK* 

(CHECK (CUBE AT HERE LEVEL 0)) 

(ORASPBLOCK (AT PI LEVEL 0J) 

(MOVETO (HERE LEVEL 1)) 

(RELEASEBLOCK) 

(CHECK (CUBE AT HERE LEVEL 1)) 

(GRASPBLOCK (AT P2 LEVEL B>) 

(MOVETO (HERE LEVEL 2)) 

(RELEASEBLOCK) 

(CHECK (CUBE AT HERE LEVEL 2)) 

(FIN (SHED) ) ) 

Of course if we wanted to build a tower ten blocks tall 
instead of only throe, then both MAKETOWER and tower would 
have loops Tn them. 

One Important problem in actually having the robot 
carry out an operation is that of unexpected input from the 
sense organs. For example a cube might slip out of its 
hand, At that point the robot must do some fast calculation 
to determine what has happened and what It should do next. 
It would he interesting to know whether the control led hack 
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up feature of PLANNER would help or hinder soluttons to this 
problem, 

PLANNER can do simple proofs In a decldable suhtheory 
of the quant if Icat ional calculus* The following theorems 
enable It to prove the transitivity of set theoretic 
i nelus Ion. 

(NEC (THPROG ( SA *B) 

(TH IMPLIES (THPROR CSX) 

(THIMPLIES (ELEMENT SX $A) 
(ELEMENT SX SB) 
) 
J 
(SUBSET SA SR) 



> ) ) 

(RUFF (THPROR (SA SB) 

(THIMPLI ES (SUBSET $A $B) 



(THPROR (SX) 

(THIMPLIES (ELEMENT SX $A) 



(ELEMENT SX SR> 



J 

(SUBSET $A $B) 



3 ) ) 



Note that THPRfJG serves as the universal quantifier. In our 
notation transitivity of set theoretic inclusion is 
expressed by 
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(TRANSET (THPROC < SA $B $CJ 

(TH IMPLIES (THAMU (SUBSFT $A $R) 

(SUBSFT $B $C) 
) 
(SUBSFT SA $C) 
> 
) ) 

Within the quant tf teat fonal calculus there are essentially 
two ways to prove a theorem of the form (R x) where x Is In 
the VAR mode* The first method is to assume (thprog (x) 
(thnot CR x))) end then attempt to derive a contradiction. 
The other method ts to derive as many consequences as 
possible from (R x)--say (Rl x), (R2 x), tt , t (Rn x)-and 
then attempt to cons up an object that will satisfy the 
consequences. For example we might write the following 
theoreni to construct the midpoint of a line segment: 

(CONSTRUCT (THPROO ($P1 SP2 SP3) 

(CONSEQUENT (EQUAL (DISTANCE $P1 $P3) (DISTANCE $P3 
SP2))) 

(PROVED (POINT SP1 }) 

(PROVED (POINT SP2)) 

(THCOND ( (CONSTP $P3) (THFA1D) 3 

(MSET (QUOTE $P3) (QUOTE (MIDPOINT $P1 *P2))) 

(ASSERT (POINT $P5>) 

(FINISHED) 
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) > 
(POINT A) 

(POINT B) 

CONSTP Is a predicate which tests to see if Tts argument Is 
tn the CONST mode. If asked to prove (EQUAL (DISTANCE A $Y) 
(DISTANCE $Y B>) where $Y Is tn the VAR mode, PLANNER would 
give $V the value (MIDPOINT A B), Theorems such as 
CONSTRUCT can cause PLANNER to go fnto a loop if they art* 
not used with care. PLANNER can do simple proofs by 
contradiction If It Is told the statement to he 
contradicted. For example If we wanted to prove (not a) by 
contradiction on c we could say (hypothefse a) tproveable c) 
(proveable (not c)> (discharge). fn this way we could prove 
(not a) from the theorem (implies a (not a))* Of course In 
order to do general proofs in the quant »fi cat Eonal calculus 
we would have to write considerably more complicated 
theorems. My present goal in this area is to make PLANNER 
prove that the limit of the sum of two sequences is the sum 
of the limtts of the sequences. 

I would like to thank Professor Mtnsky for suggesting 
that I Investigate the problem of getting PLANNER to swap 
the contents of two machine addresses on an IBM 7094. 
Suppose that a is In addressl, b Is Tn address2 # and 
randomness Is In address^. The following theorems will swap 
the contents of addressl and address^* 
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(SWAP (THPkOG 

(*ADD1 $ADD2 SA $R $ADDA $AT)0B) 

(CONSEQUENT (SWAP $ADD1 $ADD2)) 

(PROVED (CONTAINS $AD01 $A)) 

(PROVED (CONTAINS $ADD2 $B)> 

(PROVED (CONTAINS $OTHERAD0 =)) 

(GOAL (MOVE SADD1 SOTHERADO)) 

(PROVED (CONTAINS SADDR $B)> 

(ROAL (MOVE $ADDB $ADDD) 

(PROVED (CONTAINS $ADRA $A)> 

(ROAL (MOVE $ADDA SADD2)) 

(FINISHED) 
) ) ) 

(CONTAINS A0DRESS1 a) 
(CONTAINS ADDRESS2 hi 
(CONTAINS ADDRESS3 0) 

(MOVE (THPROfi 

($A0D1 $ADD2 SCONTENTS) 
(CONSEOUENT (MOVE $ADD1 $ADD2)) 
(PROVED (CONTAINS *ADD1 $CONTENTS ) ) 
(ERASE (CONTAINS SADD2 «)) 
(ASSERT (CONTAINS JAD02 $C0NTENTS>) 
(FINISHED) ) ) 

If we were to examine the protocol produced hy PLANNER as It 
solves the problem, we would find that It goes up a couple 
of blind alleys before It finally finds the correct 
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solution. We would Ilk* to try to write theorems for 
PLANNER that would enable It to analyze simple protocols 

and try to make changes In the theorems that produced the 
protocols In order to make the solutions more 
stra 1 Rhtforward* Thus the fourth statement of the theorem 
SWAP might be changed from (PROVED (CONTAINS $OTHF_RAOP =)) 
TO (PROVED (CONTAINS (-AND- $0THERAM> <*NOT» t=0R = $AflDX 
$AF>D2))) «)). Similarly we could try to get PLANNER to 
generalize the theoren TOWER (above) by replacing HERE 
throughout by $PLACE* Then PLANNER would be able to build a 
tower anywhere Instead of only at the place HERE* Inserting 
and deleting statements from theorems are other simple 
manipulations which ar^. feasible for PLANNER, PLANNER will 
have to do a gigantic Inefficient search In order to learn 
to do some simple class of tasks* Subsequent 1 y, it should 
:: r a h 1 e to p roceed s t ra 1 Eh t f o rwa r d 1 y f n r t ho class of 
problems* If It should hit a snaR # PLANNER should attempt 
to modify the procedure that has worked in the past In order 
to £et around the difficulty* Protocol analysts provides 
important clues to show where and how theorems should be 
modified* Attempting to make changes In theorems without 
the help of protocols from those theorems appears to he an 
untractahle problem. It has been suggested that the 
protocol analyzing theorems be used to try to improve 
themselves. Unfortunately It will be quite a long time 
before bootstrapping In this way will be fruitful. At the 
present time It ts necessary to write very complicated 
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theorems to analyze even the most trivial protocols. 
Furthermore any Increase tn the power of the protocol 
analysis theorems would seem to call for evert more complex 
theorems* 

The following two theorems Illustrate how PLANNER can 
be made to solve geometric analogy problems such as those 
solved by Evans's program, 

(ANALOGOUSRA (TNPROG ($B SA *TYPER) 
(CONSEQUENT (ANALOGOUSRA $B sA)) 
(PROVED (TYPE SB $TYPER) ) 
(PROVED (TYPE SA STYPEB)) 
(FINISHED) ) ) 

(ANALOGQUSAC (THPROG (SA SC $PREDICATE *ARGSA1 -ARGSA2 
*ARGSC1 *ARRSC2) 

(CONSEQUENT (ANALOGOUS AC $A SC)) 

(THCOND C (PROVED (TESTANALOGOUSAC $A $C>) 

(FINISHED)) ) 

(PROVED (OBJECT $A)) 

(PROVED (OBJECT $C)) 

(THCOND ( (PROVED (TESTANALOGOUSAC $A (-NOT- $C ))) 
(FAIL)) ) 

(ASSERT (TESTANALOGOUSAC $A SO) 

(PROVED (RELATION SPREDICATE)) 

(PROVED (SPREDICATE *ARGSA1 $A *ARGSA2))) 

(PROVED (SPREDICATE *ARfiSCl SC *ARGSC2)) 
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(PROVFABLE (CORANALOROUSAC (*ARGSA1) (*ARGSC1))> 
(PROVEARLF (CORANALOROUSAC (*ARGSA2) C*AROSC2))) 
(FIMSHEO) ) ) 

(CORAMALOGOUSAC (THPROC, ( SA *A $C *C> 

(CONSEQUENT (CORANALOROUSAC (*A *A) (SC *C>)) 
(THCOND ( (PROVED (TESTANALOGOUSAC $A SO) (THRO REST)) 
) 

(PROVEABLE (ANALOGOUSAC $A $C)) 

REST (PROVEARLE (CORANALOROUSAC (*A) (*C))> 
(FINISHED) 

) ) 

(TYPE TRIANGLE) 
(TYPE RECTANGLE) 
(TYPE CIRCLE) 
(RELATION INSIOE) 
(RELATION LEFTOF) 
(CORJECT CI) 
(TYPE CI RECTANGLE) 
(CORJECT C2) 
(TYPE C2 ELLIPSE) 
{AOBJECT Al) 
(TYPE Al TRIANGLE) 
(AOBJECT A2) 
(TYPE A2 CIRCLE) 
(RORJERT Rl) 
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(TYPE Bl TRIANGLE! 
(RORJECT R2) 
(TYPE B2 CIRCLE) 
(CORANALOGOUSAO () <)) 
(INSIDE Al A2) 
t INSIDE CI C2> 
(LEFTOF Rl B2> 

If you ask PLANNER to prove (ANALOGOUS AC Al $X) where $X Is 
In the VAR mode, then It will ?, f ve $X the value CI, UsiriR 
the ahove theorems as models the reader should he ahle to 
write the other theorems necessary to solve the analogy 

he low 
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Analogy and general 1 zat ion play a very Important role 
In theorem proving. For example the proofs of the 
uniqueness of the identity element, the zero element, and 
inverses Tn sen 1 -groups are closely related. The 
def f nl t tons ere 

(equivalent (Identity e) (forall (a) (implies (equal (tiroes 
a e) (times e a) a)))) 

(equivalent, (zero z) (forall (a) (Implies (equal (times a 
z) (times z a) a)) )) 

(implies (identity e) (equivalent (Inverse bl b) (equal 
(times bl h > (times b bl) e))) If we suppose that e 1 , z*, 
and bl' ar^ e respectively Identity, zero, and Inverse 
elements then the solutions are 
(equal e (times e' e) ft 1 ) 
(equal z (times z 1 z) z 1 ) 
(equal al (times al 1 a al) ai'J 

Thus the general form of the solution is (equal w string 
w 1 ) where string algebraicly simplifies to w and w*. It 
would be a straightforward to write theorems for PLANNER 
that would enable the program to recognize the very 
particular above kind of analogy* But this Is not the way 
in which we would ultimately like to approach the problems 
of analogy and generalization in theorem proving. What we 
need is a way to search analogy space and generalization 
space In a manner similar to the way In which SCHEMATIZE 
searches Island space for plans. A reasonable approach 
toward accomplishing this would be to construct a helrarchy 
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of theorems around the the various predicates for types of 
analogy such as those Introduced above* 

The ability of PLANNER to write theorems whfeh tt can 
later execute potentially gives it very great powers of 
generalization and abstraction- We do not yet know how to 
effectively utllyie this power. At present the principal 
use of thSs ability has been to atd in the Implementation of 
a dec J dab le sub theory of the quant If icat ional calcul us* 
Perhaps It will prove fruitful for planning programs to 
create PLANNER theorems such as MAKETOWFR above fn order for 
the robot to carry out the plan. Also the ability to create 
programs onahles the computer to put several small 
procedures together In order to accomplish a larger task* 
Usually some fudging Is necessary between the smaller 
procedures in order to make them work together, 

PLANNER was first developed as a simple planning 
mechanism and model manipulator for a robot* Its structure 
permits the use of macro steps tn constructing plans of 
action for the robot. There might be some confusion as the 
purpose of PLANNER as a general theorem prover. PLANNER is 
not Intended to show that a computer theorem prover does not 
need knowledge and expertise tn the domain In which Tt 
works* To the contrary PLANNER should be used as a 
meta-theorem prover with as much knowledge as possible built 
Into Its theorems* In the last decade many programmers have 
constructed heuristic tree searching problem solvers* Many 
of the the problem solvers have detailed knowledge of their 



44, 



intended domains built into their structu*, I would 1 f k*> to 
investigate how much of the knowledge of the programs can be 
natural 1 y 1 ncorporated J nto theorems for PLANNER - 
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A #reat deal remains to be done to remove some of the 
limitations associated with general theorem provers* Much 
of our trouble stems from the fact that we do not yet even 
have the beginnings of a mathematically rigorous theory of 
tree searching* Nor do we have much theoretical 
understanding of the process of proving theorems. 
1 ndependent of more general theoret Teal cons T do rat ions , 
general theorem provers have fnportant limitations relative 
to more special purpose problem solvers. In any given 
problem area , PLANNER will certainly prove to be less 
efficient than a special purpose problem solver fn the 
problem area for y/hfeh the latter was designed. However/ 
part of this Inefficiency can be avoided by writing very 
special theorems for PLANNER. Also, PLANNER will become 
much more efficient whan I have completed a compiler for it* 
PLANNER is sufficiently powerful that I can write the 
compiler In PLANNER and then bootstrap ft. The argument of 
Toss of efficiency In general theorem provers will lose much 
of Its force once we have the hardware to search the 
branches of the goal tree in parallel. 

The prohlen of representation for theorem proving 
systems has attracted Increasing attention from researchers 
in recent years. The problem has the following aspects: 
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1* Input representation of problem 



2 + Internal representa 1 on of problem 
3* Ability of the theorem prover to change 
representat Ion 

Inadequate ability to represent concepts necessary for the 
solution of problems can severely affect the performance of 
a problem solver* For example the fixed Inflexible Input 
format of fiPS-2-6 greatly limits the generality of the 
problems that it can solve* In PLANNER there ts no 
distinction between fnput representation and Internal 
representat ton. Furthermore theorems for PLANNER make no 
distinction between a problem to change the represents Ion of 
a problem and any other kind of problem. For example it Is 
straightforward to write theorems for PLANNER which will 
enable it to recognlaft that the games t Ic-tac-toe, number 
scrabble, and jam are isomorphic* The chief difficulty with 
the theorems to recognize the Isomorphism Is that they ar^ 
applicable only to this very specific problem. What we need 
to do is to write a system of theorems that can recognize 
Isomorphism within a very wide class of games. 

Almost all the problems that have been solved by 
general theorem provers thus far have been rather trivial* 
The chief reason for this has been that heretofore enough 
core storage tn attempt more ambitious problems has not been 
available. Thus the following question has arisen; Can the 
terrhn (cures which have been developed to handle toy problems 
be extended and generalized? I think that we will see the 
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question answered In the affirmative In the next few years 
as more core memory becomes availahie to users* I am 
presently working on two problems to show how theorens for 
PLANNER can solve harder problems. The first problem Is to 
write SCHEMATISE In PLANNER, The second is to write 
theorems which solve the problem of how to put Soma Cubes 
together to make fairly arbitrary block figures. Roth 
problems require a large number of theorems arrao^r-d fn 
Interlock! ng hi erarch ies, Hopeful 1 y, th i s work will 
eventually become part of a thesis* 
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The Philosophy of the System 

SCHEMATISE was designed And MATCHLESS was programed In 
the? fall term of 1966-1967* SCllFMATrSF Is Intended tn 
provide global methods for the computer to use to prove 
theorens In logic systems of a vptv shiple type. One Idea 
Is to use Invariants of the theorem net In order to more 
quickly find proofs. For example one invariant of a theorem 
net Is f ts place holder goal tree . Let (n preri) be the nth 
place holder of the predicate pred. The place holder goa 1 
tree for the predicate at In the theorem net In the first 
chapter Is shown tn the figure below. The advantage of 
usIjik Invariants of the theorem net for thTs purpose is that 
although they can be used In many problems they only have to 
computed once for each theorem net* 

Another global method In SCHEMATISE Is the use of 
schematized goal trees. The philosophy behind the Idea of 
schematized goal trees Is v^.ry simple* Vie interpret 
subgraph* of the theoren net as subtbeories. Quotient 
graphs ^\r^ syntactic planning theories. The space used by 
G.P.S, In which connectives ere left out of propos i t ional 
formulas Is an example of a syntactic planning theory. 
HomariHjrphi sms from one space into another are interpreted as 
analogies between theories. Thus there is always an analogy 
between a theory and one of Its syntactic planning theories. 
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/« trivial kind of honnnorpM sn Is exemplified by the 
symmetry of varfables recognized by Gelenter's geometry 
theorem prover. These hornonorph i sms are trivial because 
they map predicates identically onto themselves- Also the 
use of these homonorphf srns is covered by a constructive 
netatheorem. A metatheorem Is interpreted as a theorem 
about certai n cl asses of theory nets* Cons truct Ive 
metatheorems represent the best of all possible worlds for 
the theorem prover. Metatheorems save the theorem prover 
the work of doin& basically the same kind of proof over each 
time it comes to a problem for which it has a relevant 
-'netatheorem, Working In a theory over the theorem nets 
(that is metatheoret 1 ca 1 1 y) , the theorem prover can obtain 
insights and results that would otherwise be Iriposs i ble, A 
more interesting example of a homoniorplil sro Fs given by the 
analogous proofs by diagonal izat (on of the incompleteness 
theorem and of the existence of nonrecursive predicates* 
Suppose thore fs a bomomorph f sm hi from theorem net Tl into 
theorem net T2 and a homomorph « sm h2 from theorem net T2 
into theorem net T3. One can sometimes obtain a proof of a 
proposition Q in T3 by first obtatnEn£ a schematized proof 
PI in Tl, extending hl(Pl) to a proof P2 in T2 / and then 
finally extending h2(p2) to be a proof of Q. Thus we have 
an elementary theory of multi-pass theorem provers* It \s 
also useful to look at the homomorph ic Images fo the given 
theorem net since thf»y Induce quotients back on the piven 
space. 
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PLANNER Is designed to be an extendable flexible 
system for manipulating an Internal nod ft 1 of a dynamic 
world. In Its world arbitrary objects can be created and 
destroyed at will* The world of PLANNER contrasts strongly 
with the static world nf the quant I f I cat lonal calculus. In 
order to obtain greater flexIblTllty and general i ty, PLANNER 
does not maintain a rltffd barrtar hetween the imperatives 
(theorems) that take some act ton fn Its world and 
con pi Icated declaratives (theorems) that state some fact 
about F ts world. PLANNER often uses the sane S-express ion 
as an imperative and as a declarative depending on the 
context* There Is &n analogous situation In mathincnatlcs 
where the quant If f cational calculus (a theory of 
declaratives) Is strong enough to represent the recursive 
functions (the imperatives)^ Furthermore one can regard a 
wff In the quant if i cat ional calculus v/lth free variables as 
a predicate. Assume that for each procedure P we have a 
declarative D f called the Intention of P) that says ho 1 ,; P Is 
Intended to be used. Now D does not determine P* If there 
Is one way to realize a tffven Intention then there are 
Infinitely many ways to realize It, Also It nay happen than 
an Intention cannot be realized at all* For example the 
following Intention 1$ realized hy no procerfurf* P: P solves 
the halting problem* Usln* Intentions the theorem prover 
can proceed to debus? a procedure P as follows! given an 
argument a such that P(a> violates Its Intention check the 
subprocedures of P to see if any of them violated their 
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Intention while P(a) was being computed. If so then proceed 
to find the bug In the sub-procedure of P. If not then 
there Is h hup. in P. Check the Intentions of the statements 
of P to ffn<? the statement of P whose Intention was 
violated. For example In the problem to exchange the 
contents of two locations the Intent Ton that $OTHERAf>D be 
different from both $ADPI and S/DD2 was violated* As 
Illustrated by the example of bu tiding a tower, the standard 
way in which PLANNER trys to find a procedure which 
satisfies a Riven Intention Is to first figure out an 
algorithm which satisfies the intention and then write a 
procedure which uses the algorithm. G I ven tHe knowledge of 
how to cause an Imperative to act, PLANNER can sometimes 
find out what the imperative means , For example hi Eosser's 
axiom system for the propos I t lonal calculus the meaning of 
the general procedure by which you can obtain a proof of 
(Implies a b) from the proof of b starting from a is the 
Deduction Theorem for Rosser's axl omat izat Fon. Conversely 
we can try to analyze how a theorem can be applied, 
Class i ca 1 theorem pro vers keep the! r decl a rat 1 ve know! edge 
rijvidily separated from their imperative knowledge. 

From the point of view of program graphs, there are 
essentially two kinds of heuristics in PLANNER theorems. 
The first kind (called selectors ) choose which branch of the 
problem tree to search next. The second hind (called 
rejector.^ ) determine when to stop working on a branch of the 
problem tree. At a hi^h level selectors should use 
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planning/ analog ies, and links In models to help make 
plausible choices. Rejectors can try to prove the ne^ati^n 
of a proposed Ronl or try to find a counterexanpl e to It. 
Due to overriding cons £ derations of efficiency, a practical 
theorem prover must be as close to a decision procedure *s 
possl hie. Re J ectors and sel ectors supplement each other . 
For example fn elementary plane geometry, counterexamples 
fron dtar.rar.is make such a Rood rejection heuristic that very 
good selectors are not needed. On the other hand since 
Samuels's checker player can choose the correct move at each 
ply over half the time, It Is less dependent on Its static 
evaluator as a rejector. One can view rejectors as special 
cases of selectors In which the null choice is made. 

PLANNER has many of the features that are desireable 
for a lan^ua^e In which to */rite a domain i ndenendent 
planner for proving theorems, A domain independent planner 
is a pror.ram that operates by accepting as input knowledge 
of a domain D (including both declaratives and Imperatives} 
and a theorem T In the dona In D and outputtinp: a plan for 
the proof of T. The justification for a domain Independent 
planner Is the thesis that there Is a large body of 
techniques and s t ra te^l es common to nathenat leal domains 
such as lopjc, algebra, set theory,, and analysis. The 
ultimate goal Is for a domain Independent planner to be able 
to read a book written In a formal lan^ua^e on some 
nathenat teal donaln D and then be able to constuct plans for 
the proof of theorems in D, Admittedly It is not an easy 
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task to construct a dona En 1 ndependent planner for even a 
trivial class of domains* Up to the present time the 
l-Titto -n of r' ''--:• or rcii I r .-ir 1 1 f\ c i f 1 t ■ to] ] \ •. oocn I , i, hen-; tc: 
construct programs that straightforwardly search £oal trees 
ill the level of the given ax Ions and ru les of 1 nf erencg of 
soric spec! all zed domain. Although the previous work has 
made valuable contr I but ions, 1 1 does not automat teal 1 y 
produce a domain Independent planner. There are many 
difficult problems tn the construction of a domain 
independent planner that have not arisen in the work on 
special Ized dona I ns . Thus work on doma in 1 independent 
planner has Its own Independent rlrht to existence as a 
prob len In artificial i rite IT Icence # 

In a limited sense PLANNER Is "aware" of what It Is 
dofri£ when It Is trying to prove some result since each 
theorem has coup let* access to the sub^oals and procedures 
that are beln^ used to try to obtain the result. For It to 
be "aware" of what tt Is damp; in s deeper sense, PLANNER 
must he able to easily translate From intentions to 
procedures which real ize those Intent ions and from 
procedures to the meaning of those procedures. In 
particular it must be able to do so for the Intentions and 
procedures that constitute the theorem prover. 
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PLANNER Is a language for proving theorems and 
Manipulating models* It can prove theorems In a typed 
second order quant I f tcati onal calculus with erasing. The 

declarative-Imperative duality of its theory is basic to 
understanding hovr the language works. The lanj*u%ir,e Itself 
is domain independent- Vie may think of the Taoj*unfte as 
divided into two parts: bookeeplnu and default conditions. 

The defaul t cond I t Ions const 3 tu tt the doma f n 

independent knowledge of the theorem prover* Suppose the 

goal of the theorem prover Is to prove (Implies a b). In a 
default condition PLANNER will usually assume a and try to 
prove b* If that doesn T t work/ then It wMT usually assume 
(out b) and try to prove (not a)* The default conditions 
allow PLANNER to do a reasonable amount of search. Thus 

the default conditions uould not assume (not (implies a hi) 
and attempt to derive a contradiction* Of course this does 
not i:iean that we connot do resolution In PLANNER* It stmply 
will not be done by default* Another exanple of a default 
condition Is that (not (not cj) simplifies to c* The last 

example is Interesting because It i>otnts out an Interesting 
parallel between theorem proving and algebraic manipulation. 
The two fields face stnllar problems on the issues of 
s irnpl ! f 1 cation, equi val snee of express ions, I rterinedfate 
expression bul^e, and man-mach Inn Interaction, of course In 



5^ 



any particular case, the theorems need not allow PLANNER to 
lapse Into Its default conditions. 

All dona In dependent knowldege Is contained In the 
theorems (imperative and declarative). The theorems can do 
arbitrary amounts of computation. They have the full 
recursive power of PLANNElt available to help them with their 
problems* For example an assertion can recommend theorems 
to be used to attempt to draw conclusions from what Is 
asserted* Messages can be sent to lower level theorems to 
try to Get thern to produce better answers to some question 
that a higher level theorem Is asking. Consider the 
following functions, 

(defprop among 
(thlamhda CI) (thprog O 
start (thcond ((null 1) (fall))) 

(setq 1 (cdr 1)) 

(fallp (fallto start)) 

(threturn (car 1)) )) expr) 

Cdefprop foo (thlambda (b a) C thcond 

((greaterp a b) a) 
(t (fail)))) 

expr) 

Thus the value of (foo S (among (quote (2*6)))) Is 6* If 
the predicate fallp detects a failure then It executes Its 
argument* The function fallto causes failure to the tag 



which Is Its argument. The function among successively 

takes on the elements of fts argument 1; t*e* 2 then k then 
G, Clearly the computation would he faster If foo were to 
assert that "among" should produce a value greater than 5 
and "among" were to take this advice. It will sonet fines 
happen that the heuristics for a problem &re very ^ood and 
that the proof proceeds smoothly until almost the very end. 
At that point the program gets stuck and lapses into default 
conditions to try to push through the proof. On the other 
hand the program might grope for a while trying to get 
started and than latch onto a theorem that knows how to 
polish off the problem In a lenrcthly but fool proof 
computation* PLANNER is designed for use where one has a 
great number of procedures (theorems) that night be of use 
in solving some prohlero alonj; with a general plan for the 
solution of the problem. The language helps to select 
procedures to refine the plan and to sequence through these 
procedures in a flexible way in case everything doesn't eo 
exactly according to the plan. The present default 
conditions can and will be extended but 1 don't think that 
by themselves they will ever be able to prove deep 
mathematical theorems. Nor do I believe that computers can 
solve difficult problems where their domain dependent 
knowledge is limited to a finite-state difference table of 
connections between goals and methods* 

A straight foriyard compilation of programs written in 
PLANNER produces very inefficient code For the lan^ua^e to 
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practical/ the compiler must be able to cut corners while at 

the same time producing correct code* Thus the comptler 
should he able to provn that In each case ft has Indeed 
compiled a progran correctly, McCarthy end hfs students 
have used the alternative approach of tryFng to prove the 
compiler correct once and for all* The PLANNER conpller 
should be extendable in that it should accept new heuristics 
at dny time and that programs to be compiled should be elhe 
to make recommendations as to how they should be compiled. 
Thus we ere led to consider the equivalence problem for 
programml np languages. In the following the s-express f ons 
enclosed in <> are first order Intentions. Intentions ere 
defined to be predicates that should be true when control 
passes through them. Variables that begin with a single °< M 
are first order intention variables. Intentions are allowed 
to reference but not to modify program variables. For 
example the following prolans are all equivalent* 

(defprop factl 
(lambda Cn) (corid CCIessp n 1) 1) 

(t (<t (lambda (<b>) Cequal <b> (factorial 
n)»> 

(ti^es n (factl Csubl nJ>)))> 
expr) 

Clap factla subr) 
(<block> ((<n> (addr 1))) 
(push p 1) 
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Crwve? 2 (quota 1)) 
(call 2 (function *less)) 
(jumpe la) 
froovel 1 (quote 1)) 
(Jrst b) 
a 

{move 1 p) 

(cal I 1 (function subl)} 
(call 1 (function factla)} 

<<(equal (addr 1) (factorial (subl <n>)))>) 
(move 2 p) 

(call 2 (function *tlmes)) 
b 

(sub pUO'Oll)) 
) 

(pOPJ p) 
<) 

In factla (addr 1) Is the address of accumulator 1 an»i 
<block> declares the Intention variable <n> to he equal to 
(addr 1)* 

(defprop fact2 
(lambda (n) (<block> <(<b> n>) (prog (a) 

(< (advice (proof type of (equal a (factorial <b>)> Is 
numer ! cal -I nductT on on n from to 1nffn1ty})>) 
(setq a i) 



G& 



again (cond ((lessp n 1) 

t<(equat a (factorial <b>))> (return a)))) 
(setq a (tim«s n a)) 

(setq n (subl n)) 
(go again) ))) exi>r) 

( lap fact2a suhr) 

(<block> ((<n> (addr 1 (<p> (addr p))) 
(push p (^ (quote 13)) 

(push p 1> 

a 

(movet 2 (quote 1) ) 

(move 1 p) 

(call 2 (function *1ess)) 

(jumpe 1 b> 

(move 1 -1 p) 

(<(equal (addr 1) (factorial <n>))>) 

(jrst U c) 

b 

(move 2 -1 p) 

(move 1 p) 

(call 2 (function *times)) 

(movero 1 -1 p) 

(move 1 p) 

(call 1 (function subl)) 

(movem 1 p) 

(jrst a> 
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C 

(sub p (% 2 2)) 
<<(eq <P> (addr p)>) 
(<(no-std&-effects)>) 

(<(no-f ree-var|abl es )> ) 

) 

(popj p) 
O 

The function <block"> declares that the Intention variable 
<b> should have the value of n and returns its second 
argument as value* 
(definition (Iff (equal (fact3 n) a) 
(or (and (lessp n 1) (equal a 1)) 

(and (not (lessp n 1)) (equal a (times n (fact3 

(SUbl I.))))))))) 

(defprop fact 1 * 

(lambda Cn) (prog (a b> 
(setq a 1) 

(cond ((lessp n 1) (return a))) 
(setq hi) 
again (cond ((equal b n) 

(return a)) 

> 
(setq b (addl b)) 
(setq a (times b a)) 
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(go aeain) 
)) expr) 

Factl and fac*2 are schema t Seal ly equivalent to each 
other, I.e. they are equivalent solely on the basis of the 
meaning of the LISP logical primitives. Proving that fact'4 
Ts equivalent to the others Is slightly nontrlvial sfnee It 
[nvol ves the assocf at T vi ty and cowiutatl vi ty of 
multiplication. The quantity Included in the <> ts the 
intention for that piece of code. The first s-e*presslon In 
the <> Is the intention hefore the function Is entered? the 
second, if present. Is the Intention for the value. Note 
that in this connection that it is convenient to treat the 
quantlf Icattonal calculus as a programing language. 

The Intentions of a program are useful for -i variety of 
purposes, included In the protocols of a function, they 
provide valuable Information on how to combine t1»e protocols 
in functional abstraction. They are very useful in 
attempting to prove that a function satisfies its overall 
intention or to prove that two functions are equivalents If 
PLANNER constructs a function which supposedly bui Ids 
towers, it needs to be able to prove that the towers that 
the function can construct are all stable. Without out any 
ultimate loss In efficiency, a function can be run \t\ a 
debugging mode in which the processor checks the intentions 
of the function as It executes the function to make sure 
that they are satisfied. At the present time computer* are 
much worse than mathematicians at proving that two prolans 
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are equivalent. Even if computers were to greatly Improve*, 
there are crave difficulties in usfng them as a practical 
solution to the debugging problem. It fs difficult to ffniJ 
reasonable Intent Ions that adequatel y charac tcr I z& the 
output In terms of the Input for many functions (for example 
system programs and very highly recursive programs), 
ccevertheless, work on this approach to debu^gln^ problem 1* 
Independently valuable. It increases the power of the 
computer to prove fncts about functions. Only experience 
can teach us how severe the practical difficulties are 
toward this approach to the riebufiftlHR problem. 



